Hunt package for 108 IOCs associated with ClearFake
Malware Family: ClearFake
Total IOCs: 108
IOC Types: domain
```kusto
// Hunt for DNS queries to known malicious domains
// Source: ThreatFox - ClearFake
let malicious_domains = dynamic([
    "scr14-sync.vouayger.in.net", "tideruntime.checkbro.in.net", "4wm0.woodflo.in.net", "unitmed.goodwork.in.net", "checkcipher.besthire.in.net", "serv4base.veloxunit.in.net", "edge3dist.veloxunit.in.net", "node2flow.veloxunit.in.net", "unit1meta.veloxunit.in.net", "main4point.nuxbase.in.net",
    "data3sync.nuxbase.in.net", "gate2proxy.nuxbase.in.net", "web1infra.nuxbase.in.net", "sat4link.termocenter.in.net", "rock3core.termocenter.in.net", "base2steel.termocenter.in.net", "moon1orbit.termocenter.in.net", "open4space.altasync.in.net", "vast3field.altasync.in.net", "zone2area.altasync.in.net",
    "rim1outer.altasync.in.net", "path4gate.protovoda.in.net", "view3sync.protovoda.in.net", "scan2point.protovoda.in.net", "room1dark.protovoda.in.net", "sync4vision.luxalabs.in.net", "ghost3node.luxalabs.in.net", "shell2core.luxalabs.in.net", "trace1alpha.luxalabs.in.net", "link4access.optigrid.in.net",
    "auth3user.optigrid.in.net", "base2point.optigrid.in.net", "glob1infra.optigrid.in.net", "flow4work.densapoint.in.net", "net3local.densapoint.in.net", "sys2power.densapoint.in.net", "mon1point.densapoint.in.net", "entry4link.metracore.in.net", "dev3host.metracore.in.net", "rpc2remote.metracore.in.net",
    "cloud1store.metracore.in.net", "hub4sync.vivaflux.in.net", "gate3proxy.vivaflux.in.net", "app2data.vivaflux.in.net", "web1meta.vivaflux.in.net", "db4static.flexonode.in.net", "cdn3edge.flexonode.in.net", "api2sync.flexonode.in.net", "srv1node.flexonode.in.net", "main-v4-point.vortex-lab.in.net"
]);
DnsEvents
// has_any is case-insensitive and matches a listed domain anywhere in the queried name, so deeper subdomains of a listed domain also match
| where Name has_any (malicious_domains)
| project TimeGenerated, Computer, Name, IPAddresses, QueryType
| order by TimeGenerated desc
```
| Sentinel Table | Notes |
|---|---|
| DnsEvents | Ensure this data connector is enabled |